In this article I’ll talk about a strange problem that occurred on my office computer after a power failure. A couple of days ago I saw that the SCCM client had installed some updates and needed a reboot. I’m used to locking my office workstation every day without shutting it down or rebooting it for several days or weeks. I repeatedly cancelled the system reboot for the pending updates because I didn’t have time to wait until they were installed and configured (they often take a long time). Today, after the power failure, I found my computer shut down. Immediately after entering my credentials, I saw that the network icon on the right side was showing a rotating circle, just as it does when trying to get its IP configuration.
My first impression was that there was a network problem and the computer could not get a proper IP. I restarted the DHCP Client service and checked the IP configuration using the ipconfig /all command. Everything looked OK, but then I discovered the real problem, which concerned the computer’s memory consumption: the svchost.exe process was eating more and more memory! In the beginning, it was consuming several hundred MB (the actual print screen):
After a couple of minutes, the svchost.exe process jumped to 1 GB, 2 GB, and soon it was eating all the memory:
My computer got into a jammed state, meaning that I couldn’t do much with it. I used the RAMMap and Process Explorer tools to discover the real source of the problem. If you don’t know by now, svchost is a system process that hosts multiple services. Check out this previous article from IT training day in which I explained the role and functionality of svchost. After I saw that the process was eating all the memory, I ended its entire tree. To do this, open Task Manager, right-click the process and press “End Process Tree”, just like in the following image:
I thought that the process would respawn and everything would return to normal. I was surprised to see that the process had started eating more and more memory again. My first reaction was to find out which services were hosted by the process. There were about 6 or 7, but one of them caught my eye: the Windows Management Instrumentation (Winmgmt) service. I had previously had problems with this service on another machine, regarding updates in an SCCM infrastructure. I checked the C:\Windows\System32\wbem\repository folder for the size of the OBJECTS.DATA file. The size was pretty impressive, around 3 GB. I also saw that a Corrupted.rec file, around 3 GB in size, was located in the same directory:
Now, my thought was that during the update/force restart process, the WMI repository got corrupted.
If you want to find out more about WMI check out this link from Microsoft’s website. All this time the memory consumption was at maximum and the circle was still rotating on the network icon.
I opened a command prompt with administrative credentials and tried to do a repository reset by using the winmgmt /resetrepository command:
Immediately after pressing Enter, I received the following error: “The service cannot accept control messages at this time”. I checked the Windows Management Instrumentation service, which was in the “Stopping” state; this didn’t sound good. The taskkill command didn’t work (taskkill /F /PID [process ID]). I also tried to end the svchost process tree and saw that the WMI service had “Stopped”. I then started the service and retried the repository reset, but with no success, because the process got stuck again in the “Stopping” state. I tried to restart the computer, boot into “Safe Mode” and do a repository reset again, but with no luck!
I was bothered by the rotating circle on the network icon, so I said “what the heck” and disconnected the network cable from the computer. I tried to kill svchost again, restarted the WMI service and reset the repository. The reset was successful, so I rebooted the computer. Upon reboot, everything turned back to normal. I checked the repository location again for the size of the new file. Now, there were two repository folders:
I deleted the old folder (repository.001).
I don’t know the exact reason. Maybe there was something about the pending updates and the forced reset, or maybe the computer had to contact the DHCP server regarding these updates; I don’t know for sure. Most probably the SCCM client had some problems regarding the pending updates and the workstation was trying to access the SCCM server. What I know is that everything got fixed on several computers by using this method.
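The checks and the reset from the steps above, collected into one PowerShell script. This is an added example, not part of the original article; it assumes an elevated prompt and English sc.exe output, and the -Reset switch is a name chosen here for illustration.

```powershell
# Added example. Run from an elevated PowerShell prompt.
# Avoids Get-WmiObject/Get-CimInstance/Get-NetAdapter: they depend on the WMI service being checked.
param([switch]$Reset)   # hypothetical switch: reset only when explicitly requested

$repo = Join-Path $env:windir 'System32\wbem\repository'

# 1. Repository file sizes (OBJECTS.DATA, and Corrupted.rec if present)
Get-ChildItem -Path $repo -File -ErrorAction SilentlyContinue |
    Sort-Object Length -Descending |
    Select-Object Name, @{ n = 'SizeMB'; e = { [math]::Round($_.Length / 1MB, 1) } } |
    Format-Table -AutoSize

# 2. Service state from the Service Control Manager; "StopPending" is the stuck "Stopping" state
$status = (Get-Service -Name Winmgmt).Status
"Winmgmt status: $status"

# 3. PID of the svchost.exe instance hosting Winmgmt (parses English sc.exe output)
$hostPid = 0
if (((sc.exe queryex winmgmt) -join "`n") -match 'PID\s*:\s*(\d+)') { $hostPid = [int]$Matches[1] }

if ($hostPid -gt 0) {
    $proc = Get-Process -Id $hostPid -ErrorAction SilentlyContinue
    if ($proc) {
        '{0} (PID {1}) private memory: {2:N0} MB' -f $proc.ProcessName, $hostPid, ($proc.PrivateMemorySize64 / 1MB)
    }
    tasklist.exe /svc /fi "PID eq $hostPid"   # services sharing that svchost.exe instance
}

# 4. Built-in consistency check, run only when the service reports Running
if ($status -eq 'Running') { winmgmt.exe /verifyrepository }

# 5. Optional reset, the command used in the article
if ($Reset) {
    if ([System.Net.NetworkInformation.NetworkInterface]::GetIsNetworkAvailable()) {
        Write-Warning 'A network link is still up; in the article the reset only worked with the cable unplugged.'
    }
    winmgmt.exe /resetrepository
}
```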
I hope this article will help you resolve this annoying problem. Also, if you have encountered this problem previously and figured out another way to fix it, please add a comment and share your thoughts, and if you know the exact cause of this behavior, please tell me. If you’ve enjoyed the article, share it with others. Have a great day and stay tuned for the following articles.